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FOREWORD 


This  publication,  the  Subsystem  Evaluation  Report,  Clyde  Digital  Systems,  DIALBACK  Version 
1.5.  is  being  issued  by  the  National  Computer  Security  Center  under  the  authority  of  and  in 
accordance  with  DoD  Directive  5215.1,  "Computer  Security  Evaluation  Center."  The  purpose  of 
this  report  is  to  document  the  results  of  the  evaluate 'n  of  Clyde’s  DIALBACK  Version  1.5.  Any 
requirements  stated  in  this  report  are  taken  from  Department  of  Defense  Trusted  Computer  System 
Evaluation  Criteria,  dated  December  1985. 
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EXECUTIVE  SUMMARY 

The  Clvde  DIALBACK1 2  Version  1.5  is  intended  to  serve  as  a  user  authentication  mechanism  for 
use  with  any  VAX/VMS~  systems.  Since  DIALBACK  is  a  security  subsystem  rather  than  a 
complete  system,  it  was  not  evaluated  against  an  entire  class  in  the  Department  ofDefen.se  Trusted 
Computer  System  Evaluation  Criteria,  dated  December  1985,  hereafter  referred  to  as  the  "r nteria." 
.Rather,  it  was  assessed  as  to  how  well  it  performs  use'-  authentication  and  audit  of  dial-in  event... 

The  evaluation  team  has  determined  that  DIALBACK  is  a  useful,  effective  authentication 
mechanism  when  configured  as  specified  in  this  report. 

Precaution  must  be  taken  in  th-*  administration  of  call-back  security  systems  because  they  rely  on 
the  proper  operation  of  generally  unsecure  telephone  systems.  Administrators  of  call-back  security 
systems  must  therefore  take  great  care  in  setting  up  such  a  ss  stem  so  that  they  do  not  create  a  situation 
that  instills  a  false  sense  of  security.  The  DIALBACK  documentation,  specifically  "Appendix  A", 
does  an  excellent  job  of  pointing  out  the  necessary  precautions  that  must  be  taken  in  order  to  secure 
such  a  system. 


1  DIAL. RACK  Version  1 .5  is  not  presently  supported  for  VAX/VMS  Version  5. 

2  VAX  and  VMS  are  trademarks  of  Digital  Equipment  Corporation. 
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INTRODUCTION 


Background 

_ w _ 

On  January  2.  1981,  the  Directot  of  the  National  Security  Agency  was  assigned  the  responsibility 
for  increasing  the  use  of  trusted  computer  security  products  within  the  Department  of  Defense.  -\s 
a  result,  the  DoD  Computer  Security  Center  was  established  at  the  National  Security  Agency.  Its 
official  charter  is  contained  in  DoD  Directive  5215.1.  In  September  1984,  National  Security 
Decision  Directive  145  (NSDD  145)  expanded  these  responsibilities  to  include  all  federal 
government  agencies.  As  a  result,  the  Center  became  known  as  the  National  Computer  Security 
Center  l  NCSC)  it.  August  1985. 


The  primary  goal  of  the  NCSC  is  to  encourage  the  widespread  availability  of  trusted  computer 
systems:  that  is,  systems  that  employ  sufficient  hardware  and  software  integrity  measures  for  use 
m  the  simultaneous  processing  of  a  range  of  sensitive  or  classified  information.  Such 
encouragement  is  brought  about  by  evaluating  the  technical  protection  capabilities  of  industry  and 
government-developed  systems,  advising  system  developers  and  managers  of  their  systems’ 
suitability  for  use  in  processing  sensitive  information,  and  assisting  in  the  incorporation  of  computer 
security  requirements  in  the  systems  acquisition  process. 


The  NCSC  Computer  Security  Subsystem  Evaluation  Program 

While  the  NCSC  devotes  much  of  its  resources  to  encouraging  the  production  and  use  of  large-scale, 
multi-purpose  trusted  computer  systems,  there  is  a  recognized  need  for  guidance  on,  and  evaluation 
ob  computer  security  products  that  do  not  meet  all  of  the  feature,  architecture,  or  assurance 
requirements  of  any  one  security  class  or  level  of  the  Criteria.  The  NCSC  has,  therefore,  established 
a  Computer  Security  Subsystem  Evaluation  Program. 

The  goal  of  the  NCSC’s  Computer  Security  Subsystem  Evaluation  Program  is  to  provide  computer 
installation  managers  with  information  on  subsystems  that  would  be  helpful  in  providing  immediate 
computer  security  improvements  to  existing  installations.  Managers  should  note  that  subsystems 
are  not  capable  of  protecting  information  with  such  assurance  that  classified  information  may  be 
maintained  on  a  system  protected  only  by  subsystems.  Neither  may  subsystems  be  used  to 
upgradethe  protection  offered  by  other  complete  security  systems  for  the  sole  purpose  of  adding 
the  ability  to  store  or  process  classified  material.  Subsystems  may  be  added  on  to  other  protection 
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devices  to  add  another  layer  of  security  but  in  no  way  may  be  used  as  justification  for  processing 
classified  material. 

Subsystems  considered  in  the  program  are  special-purpose  products  that  can  be  added  to  existing 
computer  systems  to  increase  security  and  implement  a  security  feature  from  the  TCSEC.  They 
also  have  the  potential  of  meeting  the  limited  security  needs  of  both  civilian  and  government 
departments  and  agencies.  The  scope  of  a  computer  security  subsystem  evaluation  is  limited  to 
consideration  of  the  subsystem  and  the  attached  system  and  does  not  address  or  attempt  to  rate  the 
overall  security  of  the  processing  environment.  To  promote  consistency  in  evaluations  an 
assessment  is  made  of  a  subsystem’s  security -relevant  performance  in  light  of  applicable  standards 
and  features  outlined  in  the  Criteria.  Additionally,  the  evaluation  team  reviews  the  vendor’s  claims 
and  documentation  for  obvious  flaws  which  would  violate  the  product’s  security  features,  and 
verifies,  through  functional  testing,  that  the  product  performs  as  advertised.  Upon  completion,  a 
summary  of  the  evaluation  report  will  be  placed  on  the  Evaluated  Products  List. 

The  report  will  not  assign  a  specific  rating  to  the  product,  but  will  provide  an  assessment  of  the 
product’s  effectiveness  and  usefulness  in  increasing  computer  security. 
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Product  Overview 

The  DIALBACK  system  is  an  add-on  security  product  which  is  designed  to  provide  user 
authentication  tor  any  VAX/VMS  system  by  providing  the  capability  to  redial  users  at  their 
pre-assigned  telephone  number.  It  consists  of  several  software  utilities  that  are  designed  to  provide 
the  security  mechanisms.  These  utilities  attempt  to  provide  the  ability  to  control  dial-in  lines  and 
include  database  management  utilities  that  configure  the  product.  When  DIALBACK  is  installed, 
these  utilities  are  copied  to  the  VMS  system.  Once  there,  they  must  be  protected  through  the  use 
of  VMS  security  mechanisms. 

After  installation  and  incorporation  of  the  patches  found  in  the  DIALBACK  documentation,  the 
system  is  designed  to  be  used  in  the  following  manner.  A  DIALBACK  user  dials  the  VMS  system 
from  his  modem.  Once  connected,  DIALBACK  prompts  the  user  for  his  DIALBACK  ID. 
DIALBACK  then  drops  the  connection  and  redials  the  user  at  a  pre-assigned  telephone  number 
located  in  DIALBACK’s  database.  Upon  reconnection,  DIALBACK  prompts  the  user  for  his 
DIALBACK  password  and  compares  it  with  the  password  in  DIALBACK’s  database  associated 
witn  me  re -dialect  user,  therelore,  DIaLBACK  attempts  to  insure  that  system  access  is  only 
permitted  trom  kno>Mi,  pre-authori/ed  locations  (i.e.  telephone  numbers)  by  DIALBACK 
authenticated  users. 


DIaLBACK  IDs.  passwords,  and  re-dial  telephone  numbers  are  all  set  by  the  DIALBACK 
Administrator.  It  is  assumed,  though  not  required,  that  all  DIA  uiinLlv  iLJN  in c  tiiC  otinlC  as  their 
VMS  Username  counterparts,  for  auditing  and  simplicity  purposes.  DIALBACK  acts  as  a  front-end 
authenticator  and  docs  not  pass  any  information  to  VMS’s  LOGINOUT. 

The  DIALBACK  Administrator  is  expected  to  set  the  appropriate  Access  Control  Entries  (ACEs) 
and  User  Identification  Code  (UIC)  based  protection  mechanisms  such  that  only  authorized  users 
are  able  to  access  the  DIALBACK  executables  and  databases. 
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Evaluation  of  F  unctionality 

When  configured  correctly,  DIAERACK  can  provide  an  additional  authentication  mechanism  in 
VAX/VMS  systems.  DIAERACK  prompts  for  a  user  identifier  when  it  receives  a  call.  It 
DFAEBACK  receives  a  valid  identifier,  the  product  drops  the  connection  with  an  appropriate 
message  and  proceeds  to  redial  the  user  at  the  specified  number.  The  user  is  then  prompted  to  enter 
his  DIAl.BACK  password  to  gain  access  to  the  system.  In  addition,  DIALBACK  mdits  all  login 
attempts  and  the  success  or  failure  of  each  redial. 


Evaluation  of  Documentation 

The  DIAERACK  documentation  consists  of  three  manuals,  the  1)1  M  BACK  Installation  Manual. 
March  P>s7,  the  DIM  BACK  I  ‘sir’s  Manual.  March  PL's?,  and  the  1)1  M  B  4<  K  IB  fawn  Manual. 
March  P>*7.  the  DIAERACK  Version  1.5  Release  Notes,  and  "Appendix  A"  (included  in  the 
Release  Notes  for  incorporation  in  the  DIAl.BM  K  Rv  (arena-  Manual  i.  These  documents, 
described  below,  contain  a  detailed  description  of  the  security  features  provided  In  DIAERACK 
The  documentation  assumes  a  knowledge  of  the  YANA  MS  operating  s\ stem  and  each  ot  the 
modems  used  to  implement  DIAERACK 


Installation  Manual 

1  nix  manual  o  intended  E  >r  the  sy  stem  admimN:rat« >r.  It  ■  -ontams  the  following  s  hapters; 

INSTALEINC.  DIALBACK  LOR  T  I  IF.  EIRSTTIME 

This  chapter  gives  detailed  instructions  concerning  the  initial  installation  of  DIALBACK 
onto  the  system. 


I  See  section  entitled  Product  in  a  Trusted  Environment  for  guidance  on  proper 
cc  nfiguration. 
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INS' T AI.LING  A  DIALBACK  UPGRADE 

This  chapter  gives  detailed  instructions  concerning  upgrading  DIALBACK  from  one 
\ ei'Mi'n  to  the  next. 

COM  ltd  RING  DIALBACK  FOR  YOUR  SYSTEM 

Th's  chapter  .s  divided  into  a  number  of  sections  that  explain  the  process  of 
enable  •:  dUa'ding  DIALBACK,  DIALBACK  macros,  the  DIALBACK  audit  log, 
settable  DIALBACK  parameters,  and  DIALBACK  flow  control. 

DIALBACK  FILES 

This  appendix  lists  all  DIALBACK  files  and  the  directories  in  which  they  must  be 
located. 

User's  Manual 

Tins  manual  is  addressed  to  all  DIALBACK  users.  It  contains  the  following  chapters: 

USING  DIALBACK 

I  his  chapter  gives  the  DIALBACK  user  an  introduction  to  the  DIALBACK  system  and 
summarizes  the  step  b\  step  procedure  lor  logging  in. 

GLOSSARY  OF  TERMS 

d  his  appendix  defines  terms  the  DIALBACK  user  may  not  be  familiar  with. 

if  hcreme  Manual 

!  ."'a’  ■  1  ;  •  wc  bed  '•  :  1  •  DIM  BACK  Svs'ein  Administrator  It  describes,  in  detail,  the  use 

■  U!V  . e  r  .  ■ ;  i .  i  w  ‘  ■  ?e  p  contains  the  following  chapters: 
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COMMAND  LINE  FORMAT 

This  chapter  explains  the  commands  to  be  used  for  configuring  DIALBACK's  database. 
MACROS 

This  chapter  explains  what  DIALBACK  macros  are  and  how  to  use  them.  It  also 
explains  the  macros  that  come  with  DIALBACK  and  the  process  of  creating  custom 
macros. 

CONFIGURING  DIALBACK  FOR  UNSUPPORTED  MODEMS 

This  chapter  describes  how  to  configure  DIALBACK  for  those  modems  that  are  not 
supported  by  the  supplied  software. 

D I A  LB  AC  K  PA  R  A  \  1 ETH  R  S 

This  chapter  explains  each  DIALBACK  parameter  and  the  process  of  setting  and 
displaying  them. 

COM M A N D  R EFERENCE 

This  chapter  describes  each  DIALBACK  command  in  detail. 

APPENDIX  A  -  DIALBACK  SECURITY  CONSIDERATIONS 

This  Appendix  discusses  the  need  for  separate  dial-in  and  dial-out  lines,  displaying  a 
"Dialing  Back”  message  for  all  access  attempts,  and  auditing  invalid  DIALBACK  IDs.  It 
also  provides  macros  that  can  be  incorporated  into  DIALBACK  in  order  to  increase 
security. 
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THE  PRODUCT  IN  A  TRUSTED  ENVIRONMENT 

The  Clyde  DIALBACK  product  is  designed  to  provide  additional  authentication  on  VAX/VMS 
\vMems  by  providing  the  capability  to  redial  users  at  their  specified  phone  numbers,  thereby 
authenticating  the  user's  location  as  specified  by  the  system  administrator.  This  capability  can  be 
U'Cl'til  and  piovide  additional  authentication  functionality  and  assurance  to  a  system,  given  that  it 
N  properly  configured.  DIALRA  CK,  when  configured1  as  stated  below,  provides  this  assurance. 

SU’ARA'l  !•:  DIAL-IN/DI Al.-OUT  LINES  --  DIALBACK  and.  to  a  much  greater  degree,  the 
t-dephone  company  must  configure  each  telephone  line  as  either  dial-in  or  dial-out,  but  not  both. 
1  Ins  should  be  done  by:  configuring  each  dial-out  modem  such  that  it  is  in  originate  only  (no  auto 
i.nsueri  mode;  restricting  knowledge  of  the  dial-out  numbers;  and  requesting  telephone  lines  that 
the  telephone  company  has  configured  as  dial-out  only.  Unless  the  telephone  company  configures 
each  dial-out  line  such  that  they  are  not  valid  numbers  for  dialing  (  i.e.  the  telephone  company  will 
intercept  the  call  with  a  "Number  not  in  service"  message)',  there  is  no  way  DIALBACK  can  assure 
it  has  made  a  valid  connection. 

SIMILAR  "DIALING  BACK"  MESSAGES  FOR  VALID  AND  INVALID  USER  IDS  -  As 
shipped,  DIALBACK  displays  a  "Dialing  Back"  message  for  valid  user  IDs  and  no  message  for 
invalid  user  IDs.  There  is  a  patch  in  the  DIALBACK  documentation  that  will  correct  this  such  that 
either  the  "Dialing  Back"  message  or  no  message  will  be  displayed  for  both  valid  and  invalid  IDs. 

AUDI  1  OF  IN  VAFID  IDS  --  As  shipped,  DIALBACK  does  not  audit  login  attempts  using  invalid 
IDs.  'I  here  is  a  patch  in  the  DIALBACK  documentation  that  will  correct  this  such  that  use  of  both 
valid  and  invalid  IDs  is  audited. 

ADDING  A  DIALBACK  PASSWORD  —  As  shipped,  DIALBACK  relies  on  the  user's  location 
for  verifying  that  the  user  is  who  he  says  he  is.  In  other  words,  DIALBACK  authenticates  a  user’s 
location  as  opposed  to  the  user.  There  is  a  patch  in  the  DIALBACK  documentation  that  will  correct 
this  such  that  a  user  must  enter  both  a  valid  DIALBACK  ID,  password,  and  be  at  the  proper  location 
before  gaining  access  to  the  system  login. 


This  configuration  can  also  he  found  stilted  in  "Appendix  A  -  DIALBACK  Security 
Considerations"  of  the  DIALBACK  Reference  Manual. 


This  can  be  done  through  the  use  of  a  WATS  line. 
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Test  Procedures 


Testing  represents  a  significant  portion  of  a  subsystem  evaluation.  The  testing  performed  was 
primarily  functional  in  nature;  the  security  relevant  characteristics  of  the  product  were  compared 
against  the  claims  of  the  vendor.  The  functional  test  suite  of  this  product  focused  upon  the  following 
features:  I&A  and  Audit.  These  security  relevant  features  were  identified  in  the  DIALBACK 
Reference  Manual. 

This  test  suite  consisted  of  several  parts.  The  !&A  mechanism  was  tested  extensively,  including 
attempts  to  subvert  it  and  to  bypass  it  entirely. 

The  Audit  mechanism  underwent  extensive  testing  consisting  of  attempts  to  subvert  or  bypass  the 
mechanism  itself  and  attempts  to  corrupt  audit  data. 

All  tests  were  performed  on  a  VAX/VMS  Version  4  system. 


Test  Results 

The  test  results  described  below  are  oriented  toward  providing  the  evaluation  team’s  conclusions 
concerning  the  strengths  and  weaknesses  of  each  security  feature  provided  by  DIALBACK. 

When  configured  according  to  Appendix  A  of  the  DIALBACK  Reference  Manual  and  the 
configuration  stated  in  this  report,  DIALBACK  is  able  to  provide  additional  authentication 
assurance  to  VAX/VMS  systems.  The  evaluation  team  recommends  that  caution  be  taken  in  giving 
VAX/VMS  privileges  and  only  those  users  that  require  access  are  given  access  to  the  DIALBACK 
software,  databases,  and  audit  log. 


Authentication 


The  Authentication  meciianism  was  found  to  function  properly;  no  access  was  granted  to  the  system 
prior  to  entering  a  valid  DIALBACK  ID,  successful  redial,  and  entering  the  password  associated 


-9- 


August  29,  19XK 


DiALBACK  Final  Evaluation  Report 
PRODUCT  TESTING 


with  the  DIALBACK  ID  The  information  used  by  the  DIALBACK  was,  however,  found  to  be 
modifiable  by  any  user  having  certain  privileges,  access  control  entry,  or  User  Identification  Code 
access. 


Audit 


The  audit  records  were  found  to  contain  the  following  information:  time,  date,  event  type,  and  user 
name.  Audit  records  are  created  for  all  login  attempts  and  the  success  or  failure  of  each  redial. 

The  team  found  that  audit  information  could  be  damaged  and  changed  by  any  user  posessing  the 
necessary  VAX/VMS  privileges  or  access  control  entries  to  gain  access  to  the  audit  file.  Because 
the  audit  data  is  in  plain  text,  audit  information  is  open  to  intelligible  changes. 
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EVALUATOR’S  COMMENTS 

There  is  an  inherent  problem  with  all  call-back  security  systems  in  that  they  rely  on  the  proper 
operation  of  generally  unsecure  telephone  systems.  These  telephone  systems  can  easily  be  spoofed. 
It  is  also  the  case  that  certain  features  provided  by  the  telephone  company  (such  as  call  forwarding) 
could  be  used  to  exploit  call-back  security  mechanisms.  Modems  are  only  so  "smart"  in  that  they 
can  also  he  spoofed  into  believing  they  are  "talking”  to  the  telephone  system.  Administrators  of 
call-back  security  systems  must  therefore  take  great  care  in  setting  up  such  a  system  so  that  they  do 
not  create  a  situation  that  instills  a  false  sense  of  security.  The  DIALBACK  documentation, 
specifically  "Appendix  A",  does  an  excellent  job  of  pointing  out  the  necessary  precautions  that  must 
be  taken  in  order  to  secure  such  a  system. 

It  should  also  be  noted  that  such  products  also  rely  on  the  protection  mechanisms  provided  by  the 
host  system.  A  DIALBACK  system  administrator  should  be  familiar  with  VAX/VMS  protection 
mechanisms  (User  Identification  Code  (UIC),  Access  Control  Entries  (ACE),  and  Priviledges)  such 
that  the  DIALBACK  software  and  databases  can  be  protected  from  unauthorized  access  and 
modification. 
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The  DIALBACK  system  ts  an  add  on  security  product  which  is  designed  to  provide  user  authentication 
for  any  VAX/VMS  system  by  providing  the  capability  to  redial  users  at  their  pre-assigned  telephone 
number  It  consists  of  several  software  utilities  that  are  designed  to  provide  the  security  mechanisms 
These  utilities  attempt  to  provide  the  ability  to  control  dial-in  lines  and  include  database  management 
utilities  that  configure  the  product  When  DIALBACK  is  installed,  these  utilities  are  copied  to  the  VMS 
system  Once  there,  they  must  be  protected  through  the  use  of  VMS  security  mechanisms  This  report 
documents  the  findings  of  the  evaluation 
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